Re: Patch "vlan: Fix VLAN 0 memory leak" has been added to the 6.4-stable tree

Ido Schimmel <idosch@xxxxxxxxxx> · Sun, 13 Aug 2023 10:48:56 +0300

+ stable

On Sat, Aug 12, 2023 at 08:02:46PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     vlan: Fix VLAN 0 memory leak
> 
> to the 6.4-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      vlan-fix-vlan-0-memory-leak.patch
> and it can be found in the queue-6.4 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@xxxxxxxxxxxxxxx> know about it.

Please do not add the patch to the stable tree. A problem was found and
a revert was posted:
https://patchwork.kernel.org/project/netdevbpf/patch/20230811154523.1877590-1-vladbu@xxxxxxxxxx/

In addition to 6.4, please do not apply to: 6.1, 5.15, 5.10, 5.4, 4.19,
4.14

Thanks

> 
> 
> From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001
> From: Vlad Buslov <vladbu@xxxxxxxxxx>
> Date: Tue, 8 Aug 2023 11:35:21 +0200
> Subject: vlan: Fix VLAN 0 memory leak
> 
> From: Vlad Buslov <vladbu@xxxxxxxxxx>
> 
> commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream.
> 
> The referenced commit intended to fix memleak of VLAN 0 that is implicitly
> created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it
> doesn't take into account that the feature can be re-set during the
> netdevice lifetime which will cause memory leak if feature is disabled
> during the device deletion as illustrated by [0]. Fix the leak by
> unconditionally deleting VLAN 0 on NETDEV_DOWN event.
> 
> [0]:
> > modprobe 8021q
> > ip l set dev eth2 up
> > ethtool -K eth2 rx-vlan-filter off
> > modprobe -r mlx5_ib
> > modprobe -r mlx5_core
> > cat /sys/kernel/debug/kmemleak
> unreferenced object 0xffff888103dcd900 (size 256):
>   comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
>   hex dump (first 32 bytes):
>     00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00  ..].............
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
>     [<000000002889a7a2>] vlan_vid_add+0xa0/0x210
>     [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
>     [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
>     [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
>     [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
>     [<00000000982807e9>] do_setlink+0x28d/0x10a0
>     [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
>     [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
>     [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
>     [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
>     [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
>     [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
>     [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
>     [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
>     [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
> unreferenced object 0xffff88813354fde0 (size 32):
>   comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
>   hex dump (first 32 bytes):
>     a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff  ................
>     81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
>     [<000000002da64724>] vlan_vid_add+0xdf/0x210
>     [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
>     [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
>     [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
>     [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
>     [<00000000982807e9>] do_setlink+0x28d/0x10a0
>     [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
>     [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
>     [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
>     [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
>     [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
>     [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
>     [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
>     [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
>     [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
> 
> Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
> Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>
> Signed-off-by: Vlad Buslov <vladbu@xxxxxxxxxx>
> Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@xxxxxxxxxx
> Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
>  net/8021q/vlan.c |    3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> --- a/net/8021q/vlan.c
> +++ b/net/8021q/vlan.c
> @@ -384,8 +384,7 @@ static int vlan_device_event(struct noti
>  			dev->name);
>  		vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
>  	}
> -	if (event == NETDEV_DOWN &&
> -	    (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
> +	if (event == NETDEV_DOWN)
>  		vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
>  
>  	vlan_info = rtnl_dereference(dev->vlan_info);
> 
> 
> Patches currently in stable-queue which might be from vladbu@xxxxxxxxxx are
> 
> queue-6.4/vlan-fix-vlan-0-memory-leak.patch